<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta name="verify-v1" content="f4Ur0U3ujvhVMJsMxYQzKfWHmH5VQq895mWGFemhGoo=" > 
<meta http-equiv="content-type" content="text/html; charset=utf-8" /> 
<meta http-equiv="Content-Language" content="en" /> 
<title>::  Bonsai - Information Security Services  ::</title> 
<meta name="robots" content="index, follow" /> 
<meta name="description" content="Bonsai is a company involved in providing professional computer information security services. Bonsai provides Application and Network security testing and trainings." /> 
<meta name="keywords" content="penetration test, penetration testing, ethical hacking, web application penetration test, web application security training, training, security training, application security, web application security, CEH, CISSP, exploits, exploit, hacking, pen testing, pen test, pen testing tool, w3af, vulnerability scanning, vulnerability scanners, vulnerability assessment" /> 
<link href="/css/layout.css" rel="stylesheet" type="text/css" /> 
<link href="favico.ico" rel="shortcut icon"/> 
 
</head> 
 
<body> 
<div id="wrapper"> 
	<div id="back-page"> 
        
 
 
		<div id="header"> 
			<a class="left" href="/"><img src="/images/bonsai-information-security.jpg" alt="Bonsai Information Security"/></a> 
		</div> 
		<!-- end header --> 
		<div id="page"> 
			<div id="content"> 
				<img class="left" src="images/bonsai-information-security-about-us.gif" alt="Bonsai Information Security" /> 
				<p>Bonsai provides professional computer information security services. Founded in early 2009 in Buenos Aires, Argentina, we are a steadily growing company, fully <b>committed to quality service</b> and focused on our customers’ real needs.</p> 
				<p>Our areas of expertise are as follows:</p> 
				<ol> 
					<li><a href="/en/services/web-application-penetration-testing.php">Web Application Penetration Testing</a></li> 
					<li><a href="/en/services/penetration-testing.php">Penetration Testing</a></li> 
					<li><a href="/en/services/code-review.php">Code Review</a></li> 
					<li><a href="/en/services/tcp-ip-stack-testing.php">TCP/IP Stack Testing</a></li> 
					<li><a href="/en/education/">Education</a></li> 
					<li><a href="/en/research/">Research</a></li> 
				</ol> 
				<div class="boxed"> 
 
				<h2 class="title">News and Updates</h2> 
				<div class="content"> 
				
				<a href='http://www.bonsai-sec.com/blog/index.php/owasp-day-fiuba-argentina/'><h2>OWASP Day @ FIUBA Argentina</h2></a> 
<p><p>On June 30, 2010, OWASP Day was held at the Paseo Colón campus of the School of Engineering of the University of Buenos Aires. The talks covered Web application security and other aspects of information security.</p> 
<p><strong>Bonsai Information Security took part as a Sponsor</strong>, and Nahuel Grisolía, Project Leader at Bonsai, presented one of the talks.</p> 
<p>More information about OWASP Day is available <a href="http://www.owasp.org/index.php/OWASP_Day_Argentina_2010" target="_blank">here</a>.</p> 
<p>The slides used at the event follow:</p> 
<object id="__sse4818190" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
width="350" height="435" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><param name="src" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=presentacionv1-0-100722135339-phpapp02&amp;stripped_title=presentation-owasp-day-fiubaar" /><param name="name" value="__sse4818190" /><param name="allowfullscreen" value="true" /><embed id="__sse4818190" type="application/x-shockwave-flash"
width="450" height="435" src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=presentacionv1-0-100722135339-phpapp02&amp;stripped_title=presentation-owasp-day-fiubaar" name="__sse4818190" allowscriptaccess="always" allowfullscreen="true"></embed></object> 
</p> 
 
 
<br><br><br><hr><a href='http://www.bonsai-sec.com/blog/index.php/curso-de-seguridad-en-aplicaciones-web/'><h2>Web Application Security Course</h2></a> 
<p>
<p>Bonsai's Web Application Security training focuses on the manual and automated discovery and exploitation of vulnerabilities in Web applications. During this two-day course, a series of<strong> theoretical topics followed by hands-on exercises</strong> carried out by the attendees will be presented. In each exercise you will find vulnerabilities to exploit, each with a different level of complexity, which will challenge your understanding of the topic.</p> 
<p> 
<h3><strong>Dates, Location, Capacity and Benefits</strong></h3> 
<ul> 
<li>The course consists of <strong>two full days, from 9:00 to 18:00</strong>. The dates for the next training are Tuesday, July 27 and Wednesday, July 28, 2010.</li> 
<li>It will be held in the multimedia classrooms of IT Training Center, Sarmiento 1113, Ciudad Autónoma de Buenos Aires, Capital Federal.</li> 
<li>At midday, attendees get lunch at Il&#8217;Gato free of charge.</li> 
<li>Those who would like parking at a preferential rate should ask.</li> 
<li>Capacity: 16 attendees</li> 
</ul> 
<p> 
<h3><strong>More Information</strong></h3> 
<address style="text-align: center;"><a href="../../es/education/web-security-buenos-aires.php"><strong>http://www.bonsai-sec.com/es/education/web-security-buenos-aires.php</strong></a></address> 
<address style="text-align: justify;"> </address> 
</p> 
 
 
<br><br><br><hr><a href='http://www.bonsai-sec.com/blog/index.php/breaking-weak-captcha-in-26-lines-of-code/'><h2>Breaking Weak CAPTCHA in 26 Lines of Code</h2></a> 
<p><p>During one of our latest engagements we found a <em><strong>weak CAPTCHA implementation</strong></em> being used in the target Web application. The assessment was being performed on-site, and after identifying this vulnerability we started to talk with the CSO about how easy it would be to break it.</p> 
<p><img class="size-full wp-image-268 alignleft" title="jxt9" src="http://www.bonsai-sec.com/blog/wp-content/uploads/jxt9.gif" alt="jxt9" width="58" height="28" /><img class="size-full wp-image-267 alignleft" title="e4ya" src="http://www.bonsai-sec.com/blog/wp-content/uploads/e4ya.gif" alt="e4ya" width="58" height="28" /><img class="size-full wp-image-266 alignleft" title="9ko0" src="http://www.bonsai-sec.com/blog/wp-content/uploads/9ko03.gif" alt="9ko0" width="58" height="28" /></p> 
<p>The general consensus, of course, was <strong><em>&#8220;very easy&#8221;</em></strong>. The problem was that we were unable to find any good CAPTCHA-breaking software that the average Joe could download and run on his computer, so I spent some minutes creating a simple Python script that returns the CAPTCHA solution for this particular implementation.</p> 
<p>Before we dig into the script, let's analyze why this CAPTCHA is weak (this might not be obvious to some readers):</p> 
<ol> 
<li>The letters are not rotated</li> 
<li>All letters have the same height</li> 
<li>All letters have the exact same color</li> 
<li>The letters are not deformed in any way</li> 
<li>The background noise color is the same for the whole image</li> 
</ol> 
<p>Now, let's see the code that breaks this CAPTCHA:</p> 
<pre class="brush:python">from PIL import Image
from pytesser import image_to_string

img = Image.open('input.gif')
img = img.convert("RGBA")

pixdata = img.load()

# Clean the background noise: any pixel that is not pure black becomes white.
for y in range(img.size[1]):
    for x in range(img.size[0]):
        if pixdata[x, y] != (0, 0, 0, 255):
            pixdata[x, y] = (255, 255, 255, 255)

img.save("input-black.gif", "GIF")

# Make the image bigger (needed for OCR)
im_orig = Image.open('input-black.gif')
big = im_orig.resize((116, 56), Image.NEAREST)

ext = ".tif"
big.save("input-NEAREST" + ext)

# Perform OCR using the pytesser library
image = Image.open('input-NEAREST.tif')
print(image_to_string(image))</pre> 
<p>This simple script works with ~90% of the CAPTCHA images created using this specific implementation. Enjoy!</p> 
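<p>Added example (not from the original post or its author): a standard-library audit that a defender can run over output from their own CAPTCHA generator to flag weaknesses 2, 3 and 5 from the list above. The pixel grids, palette, darkness threshold and function names are constructed assumptions; rotation and deformation (items 1 and 4) are not measured.</p>

```python
PALETTE = {".": (255, 255, 255), "#": (0, 0, 0), "n": (170, 170, 170),
           "r": (90, 0, 0), "m": (200, 160, 120)}

def render(art):
    """Turn constructed ASCII art into rows of (r, g, b) pixels."""
    return [[PALETTE[ch] for ch in line] for line in art]

def is_dark(color, limit=96):
    # Assumption: glyph ink is dark, noise and background are light.
    return limit > sum(color) / 3

def glyph_heights(pixels):
    """Split glyphs on ink-free columns and measure each one's height."""
    heights, rows, width = [], [], len(pixels[0])
    for x in range(width + 1):          # extra step flushes the last glyph
        col = [y for y, row in enumerate(pixels)
               if x != width and is_dark(row[x])]
        if col:
            rows.extend(col)
        elif rows:
            heights.append(max(rows) - min(rows) + 1)
            rows = []
    return heights

def audit_captcha(pixels, background=(255, 255, 255)):
    """Report which of the measurable weaknesses an image exhibits."""
    colors = {p for row in pixels for p in row if p != background}
    ink = {c for c in colors if is_dark(c)}
    findings = []
    if len(ink) == 1:
        findings.append("all glyphs share one exact color")
    if len(colors - ink) == 1:
        findings.append("noise is one color across the image")
    heights = glyph_heights(pixels)
    if len(heights) > 1 and len(set(heights)) == 1:
        findings.append("all glyphs have the same height")
    return findings

# Constructed samples: '#'/'r' are ink, 'n'/'m' are noise, '.' is background.
WEAK = render(["n........n..", "###..###.###", "#.#.n#.#.#.#",
               "###..###.###", "..n.......n."])
VARIED = render(["n....rrr.m..", "###..r.r.###", "#.#.mr.r.#.#",
                 "###..rrr.#.#", "..n......###"])

if __name__ == "__main__":
    for name, image in (("WEAK", WEAK), ("VARIED", VARIED)):
        print(name, audit_captcha(image) or "no findings")
```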
</p> 
 
 
<br><br><br>					
					</div> 
				</div>				
			</div> 
			<!-- end content --> 
			<div style="clear: both;">&nbsp;</div> 
		</div> 
		<!-- end page --> 
	</div>	
	<!-- end back-page --> 
	<div id="footer">  <div id="footer-content"> 
 
    <p id="legal">Copyright (c) 2010 Bonsai Information Security. All Rights Reserved</p> 
 
  </div> <!-- /footer-content --> 
 
 
	</div> 
	<!-- end footer --> 
</div> 
<!-- end wrapper --> 
 
</body> 
</html> 
